Ransomware Deployment Methods and Analysis: Views from a Predictive Model and Human Responses Gavin Hull1, Henna John2 and Budi Arief3*

Hull et al. Crime Sci (2019) 8:2 https://doi.org/10.1186/s40163-019-0097-9 Crime Science

RESEARCH Open Access Ransomware deployment methods and analysis: views from a predictive model and human responses Gavin Hull1, Henna John2 and Budi Arief3*

Abstract Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fngerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staf at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response. Keywords: Ransomware, Cybercrime, Predictive model, Classifcation, Victim study

Introduction demand to its victim. Tis demand is usually presented Ransomware is a form of malware that blackmails its with a note that appears on the screen before or after the victim. Te name “ransomware” comes from the ran- encryption occurs, outlining the threat and accompanied som note asking its victim to pay some money (ransom) by a detailed set of instructions for making the payment, in return for gaining back access to their data or device, typically through a cryptocurrency. or for the attacker not to divulge the victim’s embar- Ransomware has had a rapid year-on-year growth of rassing or compromising information. It usually spreads new families since 2013, costing an estimated more than through malicious e-mail attachments, infected software 5 billion USD globally and growing over an expected rate apps, infected external storage devices or compromised of 350% in 2017 (Morgan 2017; Clay 2016). Te major- websites. Unlike other types of malware (which typically ity of ransomware strains target Windows operating try to remain undetected), ransomware exposes itself at systems (Mansfeld-Devine 2016) and are of the crypto- some stage of its execution in order to deliver the ransom ransomware type (Savage et al. 2015). Crypto-ransomware attacks have a greater threat than any other type of *Correspondence: [email protected] ransomware, as they can lock out a user from valuable 3 University of Kent, Canterbury, UK assets, afecting productivity and availability of services. Full list of author information is available at the end of the article

© The Author(s) 2019. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. Hull et al. Crime Sci (2019) 8:2 Page 2 of 22

Te attacks mainly afect small and medium sized enter- understanding on ransomware deployment. Te "Results, prises (SMEs) (Savage et al. 2015) and critical infrastruc- analysis and discussion" section presents the results of ture including educational institutions and healthcare our research, in particular the predictive model of ran- trusts (Barker 2017; Dunn 2017; Heather 2017), which somware deployment involving the stages of ransomware are more likely to fall victim or founder under the pres- deployment, leading to ideas for preventive action to sure and pay to release the encrypted contents. Te num- deal with ransomware deployment threat efectively. Te ber of attacks has grown partly because malware authors results from the user study are also summarised, analysed have adopted an easy-to-use modular design of the ran- and discussed, shedding light into the ransomware vic- somware. Furthermore, Ransomware-as-a-Service (RaaS) tims’ perception and behaviour in the aftermath of a ran- products (Conner 2017; Cimpanu 2017) have become somware incident. All of these may contribute towards more readily available, which assist the attacker through better techniques in combatting ransomware. "Conclu- simplistic distribution with phishing and exploitation kits sion" section concludes our paper and presents some and a trustworthy business model. ideas for future work. Te attacks are often achieved through leveraging social engineering tactics to get a victim to download Ransomware overview and activate the binary, which evades the anti-virus scan- In 1996, Young and Yung introduced the idea of cryp- ner’s signature-based detection through oligomorphic or tovirology (Young and Yung 1996), which shows that polymorphic decryptors, metamorphic code (Szor 2005) cryptography can be used for ofensive purposes, such as or the generation of a new variant. According to Syman- extortion. Since then, this idea had evolved into ransom- tec’s reports (Savage et al. 2015; O’Brien et al. 2016), ware, and ransomware has become a growing cyber secu- phishing attacks are the prime cause of ransomware rity threat, with an increased number of infections and being activated on a victim’s computer. A likely scenario many variants being created daily. According to a Syman- of the vectors toward activation could be from an email tec report, 98 new ransomware families were found in with a payload or a link to a website that triggers a drive- 2016, more than tripling the fgure for the previous year by-download. Te downloaded binary could initiate the (Symantec: Internet Security Treat Report 2017). process of carrying out the ransom, or in cases of more Te main types of ransomware are scare, lock, crypto, sophisticated attacks, it will frst fngerprint the victim’s and wipe, where the latter was frst seen with the 2017 environment prior to dropping the malicious binary or PetrWrap attack that encrypted the Master File Table process (Lindorfer et al. 2011). (MFT) of victims, but did not unlock it after payment. Researchers have analysed ransomware variants, but Encrypting the MFT renders the content of a hard drive are yet to propose a predictive model of ransomware unusable, and is rarely used among ransomware fami- deployment methods. It is vital to have a deep under- lies. Other examples of crypto-ransomware targeting the standing of the deployment methods of ransomware to MFT include Seftad (Kharraz et al. 2015), Petya (Mans- efectively fght against them. feld-Devine 2016), and Satana (Villanueva 2016). Te Te main contribution of this paper is a predictive latter two (as well as PetrWrap) start by corrupting the model of ransomware stages, which came out from a MFT and forcing the operating system (OS) to reboot. study of 18 ransomware families by looking into Win- Like computer worms (Szor 2005; Yang et al. 2008), ran- dows Application Programming Interface (API) func- somware can self-propagate such as when TeslaCrypt tion calls during each ransomware execution. Another infected a laptop integral to a gambling website and led contribution of this research focuses on querying and to spreading itself to over 15 servers and 80 other con- interviewing ransomware victims to fnd common factors nected computers through the use of shared folders between attacks, in order to be able to generate a more (Spring 2016). Perhaps the most infamous ransomware high-level understanding of ransomware deployment is the WannaCry cryptoworm, which hit the headline in methods. May 2017, and afected more than 200,000 computers in Te rest of the paper is organised as follows. Te "Ran- 150 countries, including the UK National Health Service somware overview" section provides a more in-depth (National Audit Ofce 2017). look into ransomware, including its attack vectors, the way it may target user fles, as well as an outline of Attack vectors for distributing ransomware related work, both in understanding ransomware and Various tactics are used by ransomware attackers to get in combatting it. Te "Methodology" section outlines their victims to activate the malware, grant it elevated the two-pronged methodology used in our research, privileges, and submit to the demands. Common infec- namely the development of a predictive model of ran- tion vectors of ransomware include phishing, exploit somware deployment, and the user study to gain better kits, downloader and trojan botnets, social engineering Hull et al. Crime Sci (2019) 8:2 Page 3 of 22

tactics, and trafc distribution systems (Sgandurra et al. history and usually maps important folders, such as My 2016). Despite phishing still prevailing as the preferred Documents, Pictures, and other generic folders, as well choice for deployment (Savage et al. 2015), in 2015–2016 as the Recycle Bin (Abrams 2016a, b; Lee et al. 2017). there was a noticeable increase in the use of exploit kits, Whilst mapping, a process counts the number of mapped such as Angler, which was used to spread CryptoWall and fles, based on the extension and their location, and TeslaCrypt in 2015 (Abrams 2016a). Angler had a very reports the results to the Command & Control (C&C) high activity in the malware distribution world until the server (Hasherezade 2016). To determine the impor- arrest of its developers in 2016 (Cisco 2017). tance of the fles, the last accessed date is observed, and Due to the nature of the attacks, ransomware can be a diference is calculated between the creation and last seen as having a business model (Hernandez-Castro modifed date, both of these indicate the amount of work et al. 2017), where victims are the attackers’ custom- carried out on a fle, as well as the user’s level of interest ers who purchase decryptors or keys to regain access to (Kharraz et al. 2015). To ensure the fles are genuine, the assets. Hence, attackers should be in the mindset of tak- ransomware calculates the entropy, which is the informa- ing advantage of the victim without them noticing until tion density, of the fle names and their contents (Kharraz presented with the ransom note. Te note should deliver et al. 2016). If the entropy is too high or low, resembling a clear message that provokes or threatens the victim to random content or just padding respectively, the ransom- pay, and should have user-friendly and reliable methods ware will interpret the fle as auto-generated, and discard for the victims to follow in order to pay and regain access it from its map. After mapping, it will either request from (Andronio et al. 2015). Moreover, due to the international the C&C to start encryption along with the number of scale of the ransomware market, ransom notes need fex- fles targeted, or instantly start encrypting (Hasherezade ibility in language based on the target’s locale. 2016; Kharraz et al. 2016). Te business model breaks when either the integrity of Te ransom message may take the form of an appli- the crypto-virus’ encryption is broken, payment transac- cation, Blue Screen of Death, a text fle on the desktop, tions are denied or unsuccessful, or the encrypted fles screen-saver or other means of gaining the user’s atten- become unavailable to the decryptor. For the sake of tion. Te encryption phase has varying levels of robust- maintaining ransomware’s reputation of returning access ness, from the trivial coding of base64 to Advanced after payment, ransomware authors develop their code in Encryption Standard (AES), where the most common a modular fashion to enable simple generation of variants form is AES-256 for symmetric encryption (Savage et al. by less-skilled coders or even script-kiddies (Mansfeld- 2015; Mansfeld-Devine 2016). Additionally, the names Devine 2016; Sinitsyn 2015). Moreover, the develop- of the fles will frequently be changed to signify locking, ment of Ransomware-as-a-Service (Cimpanu 2017), has often adding an extension related to the ransomware further simplifed the process for aspiring ransomware family name. attackers, while maintaining the quality of attacks. Since 2013, ransomware has increasingly integrated fn- Related work gerprinting measures to get the time, date, language, and Many researchers (Andronio et al. 2015; Lee et al. geolocation (Savage et al. 2015) to facilitate social engi- 2016; Kharraz et al. 2016; Sgandurra et al. 2016; Zscaler neering on a global scale with ransom notes presented 2016) agree that crypto-ransomware’s typical behav- in the victim’s language. For instance, some ransomware iour involves the manipulation of fles and displaying identifes the locality and language of the targeted com- a threatening message, which can be identifed through puter and hence displays the note in that language. Te the ransomware’s use of Windows API function calls. It is least costly ransom note is text-based, however, other possible to monitor read, encrypt, and delete operations delivery mechanisms have been used including recorded called at the user-level, which are then passed onto the voice. Examples of language-sensitive ransomware kernel to the input/output (I/O) scheduler (Kharraz et al. include Reveton, with 10 translations of a text-based ran- 2016). According to (Kharraz et al. 2016) there are three som note and the March 2016 version of Cerber, which ways ransomware encrypts fles: (i) overwriting originals has 12 recorded voice ransom notes in the 12 most com- with the encrypted versions, (ii) encryption then unlink- mon languages (Clay 2016). ing of the originals, and (iii) encryption and secure deletion of the originals. How ransomware targets user fles Behavioural heuristic detection through the mapping Te signature characteristics of how ransomware targets of Windows API function calls can be useful for detect- user fles is through mapping the user environment. Tar- ing potential ransomware attacks, but it may sufer from geted fles need to be recent and of some value or impor- high false positive rates (for example, the legitimate tance, therefore ransomware may look at the recent fles owner of the fles may choose to encrypt their fles, which Hull et al. Crime Sci (2019) 8:2 Page 4 of 22

would exhibit ransomware-like behaviour). Terefore, EldeRan, which uses machine learning to classify mali- it is important to complement the behavioural heuristic cious samples based on their early behaviour. Tey have approach with techniques based on deployment charac- mapped key behavioural features to enable the detec- teristics of ransomware, including possible classifcation tion of new variants and families. Te program needs a to ransomware families. Tis will enable more subtle and few behavioural characteristics for training, for which more accurate behavioural analysis—such as a typical they used Regularised Logistic Regression classifers. sequence of actions and timing of Windows API func- Te outcome is a detection system that has less than 6% tion calls, as well as other behavioural patterns – to be error-rate, and above an average of 93% at detecting new considered before deciding whether a particular set of ransomware families. activities have a high probability of indicating a ransom- EldeRan (Sgandurra et al. 2016) works with Cuckoo ware attack, or even, it represents known behaviour of a Sandbox, machine learning and negative feedback to particular ransomware family. As ransomware families determine a set of key features for ransomware. Train- may evolve (e.g. by changing the function calls used), it ing data, consisting of benign software and malware, is important to still be able to detect potentially mali- are dynamically analysed based on fve attributes: API cious behaviour of the new variants. Our contribution is invocations, use of registry keys, fle or directory opera- through modelling the higher-level behaviour of the sam- tions, Internet download activity, and hardcoded strings. ple and analysing them to determine if they represent a EldeRan was trained in Windows XP SP3 32-bit, which is potential ransomware deployment taking place. more vulnerable than later editions of the Windows OS suite. However, since the OS has been deprecated since Tools and strategies for analysing ransomware 2014, it would have been benefcial to test or train a ver- Te development and use of sandboxes in the security sion on Windows 7 or later. Tis would have given a good industry has enabled a secure environment for the acti- comparison of how well the system works over diferent vation and analysis of malicious samples. Monitoring generations. tools are integrated into sandboxes to observe and report Identifcation of ransomware families is indeed a valu- on the sample’s behaviour at the user and kernel-level. able research angle, as demonstrated by several other Malware analysis is available online at VirusTotal. papers. Homayoun et al. (2017) used Sequential Pattern com, hybrid-analysis.com and Malwr.com, as Mining to detect best features that can be used to distin- a bare-metal sandbox such as Barecloud and BareBox guish ransomware applications from benign applications. (Yokoyama et al. 2016), and as a package such as Ran- Tey focussed on three ransomware families (Locky, Cer- Sim (KnowBe4 2017), REMnux (Zeltser 2014), Cisco ber and TeslaCrypt) and were able to identify a given ran- (Umbrella 2016; Zscaler 2016; SonicWall 2016) and the somware family with a 96.5% accuracy within 10 s of the well-known Cuckoo Sandbox (Ferrand 2015; Yokoyama ransomware’s execution. et al. 2016; Kharraz et al. 2016). Cuckoo Sandbox allows CloudRPS (Lee et al. 2016) is a cloud-based ransom- the submission of Dynamic Linked Libraries (DDLs), Java ware analysis system, which supervises an organisation’s fles, binary executables, URLs, MS Ofce documents, and activity over the internet. Based on behavioural analytics, PDFs as samples (Ferrand 2015). Several researchers have it quarantines and classifes suspicious downloads, which developed analysis systems for the detection and classifca- are analysed dynamically in a sandbox. tion of ransomware threats including Unveil (Kharraz et al. Andronio et al. (2015) developed HelDroid, which 2016), HelDroid (Andronio et al. 2015), EldeRan (Sgan- analyses and detects ransomware on Android devices, durra et al. 2016), and CloudRPS (Lee et al. 2016). where the system monitors actions involving locking, Kharraz et al. (2016) developed a ransomware detec- encryption, or displaying a ransom note. Te detection tion and classifcation system called Unveil that identifes of threatening text uses optical character recognition ransomware based on its behavioural constructs. Unveil is and natural language processing to facilitate detection fully automated, and works with Cuckoo Sandbox, where in potentially any language. Like Unveil, HelDroid moni- they submitted hundreds of thousands of malware sam- tors the ransomware’s access to system APIs for locking, ples into Windows XP SP3 virtual machines. Te analy- encryption, network activity, fle renaming and deletion. sis returned a high percentage of successful detections of Another promising approach for detecting the pres- samples of known ransomware. Te author’s approach ence of ransomware (and malware in general) is by moni- is through monitoring access patterns of the sandbox’s toring the energy consumption profle of the device. Tis flesystem at the kernel-level, as well as pattern matching approach could be more robust compared to other detec- of text in the ransom note for threatening phrases. tion techniques based on the behaviour or pattern pro- Sgandurra et al. (2016) developed an automated profle of the device, since it is harder to hide or fake energy gram for the dynamic analysis of ransomware, called consumption characteristic. A paper by Azmoodeh et al. Hull et al. Crime Sci (2019) 8:2 Page 5 of 22

(2017) demonstrated the feasibility of this energy con- Redemption uses the Windows Kernel Development sumption monitoring approach for detecting potential framework to redirect (“refect”) the write requests from ransomware apps on Android devices. Tey managed to the target fles to the copied fles in a transparent data achieve a detection rate of 95.65% and a precision rate of bufer. 89.19%, which point to the feasibility of this approach. Methodology Tools for combatting ransomware We developed a predictive model of ransomware, in Tere are also tools that can be used to protect against our attempt to characterise all variants of each family of ransomware, for example by early detection of ransom- ransomware into one model. Te process included the ware attacks in progress and/or through recovery meas- development of a classifer (to parse, classify and output ures to neutralise the need to pay the demand. Tese graphs detailing the behavioural constructs of a ransom- tools are valuable and complementary to the work we ware), as well as creating a safe environment to analyse present in this paper. Several of these tools are described the ransomware samples. below for completeness but they are not discussed fur- In conjunction to this model, we carried out a user ther in this paper. study to get a picture of ransomware deployment process. PayBreak (Kolodenker et al. 2017) took a proactive approach in combatting ransomware by implementing a Ransomware deployment predictive model key escrow mechanism in which hooks are inserted into Designing a model to predict deployment characteristics known cryptographic functions such that the relevant of all ransomware families is not a trivial task, because encryption information (the symmetric keys) can be diferent malware authors are likely to develop their code extracted. Tis approach came about from an insight that base diferently. Furthermore, there is a high chance of efcient ransomware encryption needs a hybrid encryp- code evolution and adaptation over time, as some ran- tion in which symmetric session keys are stored on the somware source code may be made available and shared victim’s computer (in particular, their key vault, which among malware authors. However, there are likely some is secured with asymmetric encryption allowing the vic- similarities among ransomware families in the fow tim to unlock the vault using their private key). After the between the stages of execution. victim’s computer is infected with ransomware, they can Te 18 ransomware families investigated in this access their vault and PayBreak attempts to decrypt the research are Cerber, Chimera, CTB-Locker, Donald encrypted fles using the symmetric session keys stored Trump, Jigsaw, Petya, Reveton, Satana, TeslaCrypt, Tor- in the vault, therefore saving the victim from paying the rentLocker, WannaCry, CryptoLocker, Odin, Shade, ransom. Locky, Spora, CryptorBit, and CryptoWall. Tese were Another approach to recover from a ransomware attack chosen based on their threat-level, amount of infections, without needing to pay a ransom is by copying a fle when originality and media coverage. Te details about three it is being modifed, storing the copy in a protected area infuential ransomware samples (TeslaCrypt, Cerber and and allowing any changes to be made to the original fle. WannaCry) are provided in "Mapping ransomware vari- Tis approach is used by ShieldFS (Continella et al. 2016), ants to the Randep model" section. which keeps track of changes made to fles. When a new We looked at the Windows Application Programming process requests to write or delete a fle, a copy is created Interface (API) function calls made by these ransomware and stored in a protected (i.e. read-only) area. If ShieldFS families, in order to understand what activities a ransom- decides later that this process is benign, the copied fle ware strain might do, and what stages it might get into. can be removed from the protected area as the assump- Tere are thousands of Windows API functions, and each tion here is that the original fle has not been encrypted sample analysed would use hundreds of those multiple by ransomware. However, if ShieldFS determines that a times, making classifcation of functions into our ran- process is malicious, the ofending process will be sus- somware deployment model a laborious process. Hence, pended and the copies can be restored, replacing the we made a collection of all functions used by samples and modifed (encrypted) versions. reduce them into a list for classifcation into the model. Redemption (Kharraz and Kirda 2017) uses a similar To enable the plugging in of functions into the model, the approach to ShieldFS, but in Redemption, fle operations category and description are gathered from Microsoft’s are being redirected to a dummy copy. Tis technique web site to decrease the load of the classifcation process; creates a copy of each of the fles targeted by the ran- either manually or automatically through an API scraper somware, and then redirects the flesystem operations developed in our research. As a result of this exercise, we (invoked by the ransomware to encrypt the target fles) developed a model called Randep, being an amalgama- to the copies, hence leaving the original fles intact. tion of ransomware and deployment. Te Randep model Hull et al. Crime Sci (2019) 8:2 Page 6 of 22

contains eight stages that pair with matching function malware is known to sleep or use stalling code to prevent calls. detection while under surveillance in a sandbox (Sikorski and Honig 2012). However, most malware authors intend Development of Randep classifer to promptly unleash the payload to avoid failure through Cuckoo generates JSON reports for each sample ana- a user restarting the machine or being detected by anti- lysed, detailing Windows API function calls, network virus software (Kharraz et al. 2016). Developments of trafc, loaded libraries, registration keys, and fle I/O hypervisors including VMware and Oracle’s Virtual- operations. Figure 1 shows a fow chart of the Randep Box have been tested and improved for faws where an classifer, which classifes Cuckoo reports into Randep attacker can escape into the physical machine or afect graphs. Five of the six main processes (parser, catego- the bare metal (Balazs 2016; Duckett 2017). A well- rise, classify, Randep map, and plot) are handled by the known and secure sandbox, Cuckoo Sandbox1 has been Randep classifer, which calls the remaining process developed with security in mind, however; some malware (web scraper), as a subprocess. Since the size of a typical is known to detect the analysis environment, and security Cuckoo report sits in hundreds of MBs, processing each analysts should take actions to defend against such vul- one on every invocation of the classifer would be costly. nerabilities (Ferrand 2015). Hence, the results are permanently stored as JSON fles It is crucial to harden the system to prevent leakage at the end of each process to decrease RAM cost, and to from guest to host. We used a tool called Pafsh (Para- extract key information about the binary. Te Randep noid Fish2), which allows security researchers to develop classifer is available online with examples from https:// VMs with anti-fngerprinting strategies. To decrease github.com/Hullgj/report-parser. the number of fags generated by Pafsh and harden the sandbox VM, we copied the system information from a Classifcation of Windows API functions into the Randep bare-metal machine into the VM’s confguration, allo- model cated 2-CPUs, 4 GB RAM, 256 GB HDD in VirtualBox, Te Randep classifer’s parser maps Windows API func- and used antivmdetection.py from github.com/ tions, signatures, registration keys, and network calls into nsmfoo/antivmdetection. categories of the eight states defned by the probabilistic Te user environment was populated with programs, Randep model. Te classifcation of functions into the fles and folders automatically using VMCloak and the states of the Randep model can be carried out manu- antivmdetection script. Te antivmdetection ally or with the use of machine learning. We considered script required a list of flenames, which can be automati- the use of machine learning as future work, but it is out cally generated using a random word generator at ran- of the scope of this paper. Te work of manual classif- domwordgenerator.com, as well as a range of size for cation has been reduced through the categorisation of the fles. Injecting the script to run on each submission functions and the API scraper’s gathering of descriptions of a sample will avoid the VM from being fngerprinted and Microsoft API web page links. Te results were com- based on information of the fles and folders. Using bined using a Python script called class_compare. VMCloak we installed programs including Adobe Reader py, which outputs any conficts of functions in diferent 9.0, Google Chrome, MS Ofce 2007, and Java 7 (some states. Tose that had a confict were discussed between of these are old or legacy software, but they are still often the team members until an agreement was reached on found in potential target machines, hence their inclusion the appropriate class for a particular function. in the VM confguration). Te classifcation of the Windows API functions into the Randep model serves as a template or skeleton for User study methodology the Randep classifer to map a ransomware sample’s As part of our research, we also wanted to ask the general function calls into states. However, further adjustments public about their experiences with ransomware attacks to the model should be made in cases where a particular to get a picture of how ransomware gets deployed. To get function fails to sufciently defne its state within to the this information, we developed questionnaires, with the Randep model. main target groups being students, SMEs in the UK, as well as universities in the UK and in the US. Sandbox hardening Sandbox hardening involves denying any malicious activity from leaking between privilege rings, or out from the virtual machine (VM) container, as well as ensuring the analysis system is not detected, and that the sample 1 https://cucko osand box.org/ . will activate. As a simple precautionary measure, stealth 2 https://githu b.com/a0rte ga/pafs h . Hull et al. Crime Sci (2019) 8:2 Page 7 of 22

Start

Cuckoo report Parser Report Parser for each binary

No Any new APIs?

Yes

Classify Report Categorise List of APIs

Web Scraper No Any API categorised?

Yes

Classify: Pop categorised APIs automated or manual Randep Model from List

Randep Map Maps of each binary

Graphs of each binary Plot

End

Fig. 1 Flow chart of Randep classifer with steps through the parser, categoriser, classifer, mapper according to the Randep model, and output of results as a graph

We wanted a clear, manageable scope, but also aimed to many organisations, hence the scope had to be decided to fnd a high number of victims for the best possible carefully. Being part of a university research project, we result. Being hit by ransomware can be a sensitive subject wanted to learn from other students and universities. Hull et al. Crime Sci (2019) 8:2 Page 8 of 22

Students are typically active online, with limited knowl- and blogs around the University. Te questionnaire was edge of the threats. While getting information from also posted on several social media sites. Te student them, we also wanted to spread awareness of ransomware questionnaire was sent out in March 2017. attacks. Te expectation was that universities and stu- Te strategy with the Universities was to gather con- dents would be more open to participate in a study contact details for the IT department of each University and ducted by other students, while at the same time, being contact them asking whether they would be willing to the likely targets. participate in our research. Only if they agreed, the link To widen the scope for more hits, we decided to include to the online questionnaire was provided. Tis strategy SMEs. SMEs are also potential targets for ransomware was used because an email coming from an unknown attacks, and they are often seen as an easy target by the source can be seen even more suspicious if it includes a attacker, due to the likelihood that they do not have a link. Universities in the UK were contacted in April–May dedicated security team, or the relaxed atmosphere in 2017, and universities in the US in June–July 2017. their operation (NCSC and NCA 2018). SME contact details were gathered from company web- We gave questionnaire respondents an opportunity sites. A similar strategy to the one with the Universities to participate in a follow-up interview to gain further was used, where frst their willingness to participate was insight into the attack, as well as a better understanding enquired. Te SMEs were contacted in June–July 2017. of the respondents’ views on ransomware. Interviews Questionnaire generation Te questionnaire was kept completely anonymous. Tree separate questionnaires were created, one for However, at the end of the questionnaire, the respond- each target group (students, SMEs and universities). Te ents were given an opportunity to provide their email questions were mostly the same, but small alterations address and volunteer for an additional interview. Eight were made considering the technical orientation of the respondents volunteered to proceed to the in-depth respondent group. Forming the questions, the assump- interview. tion was made that all participants for the student ques- Te interviews were conducted via Skype, phone or tionnaire were in higher education in the UK or in the email, depending on the respondent’s preference. Te US, and meeting the minimum university-level English questions mainly focused on getting further details of the language requirements. Additionally, the student ques- most recent attack they talked about in the questionnaire, tionnaire questions assumed that the respondents were but also on getting information about their planned and/ not technically oriented. Te university and SME ques- or implemented defence measures against ransomware tionnaires were formed with the assumption that the attacks. Te interview questions were similar in each respondents were working in the IT sector with a higher interview, but were altered based on the responses the level of technical understanding. Notwithstanding, this participants had given in the questionnaire. During each limitation was taken into consideration that respondents interview, the discussion was audio-recorded with the may perceive questions in diferent manners and have permission of the interviewee. Afterwards, the audio data diferent backgrounds. were typed for record keeping and qualitative analysis. Respondents were asked to give their consent before proceeding. If the respondent indicated that they had not Results, analysis and discussion been previously infected by ransomware, the question- Tis section presents the results and analysis of applying naire would end, otherwise questions related to when the Randep model on 18 families of ransomware, along and how the infection happened and what operating with the results and analysis of the user study. Each part systems were involved would be asked. Based on their is accompanied by relevant discussion to explain the answers, further questions were presented and some sec- fndings and insights gained from the research. tions skipped. Te fnal part was always the same, and included further details about the attack, such as how Model of predictive nature of ransomware many devices were infected and whether data could be If we look at the higher level, ransomware (in particular, recovered. crypto-ransomware) will likely have three stages: stealth (in which its main priority is to remain undetected while Questionnaire distribution it prepares the groundwork for the ransomware attack), We carried out the initial student questionnaire at our suspicious (in which it starts carrying out the damaging University. To reach the students, the communication part of the attack, but it may not be detected straight ofcers at each School were contacted, asking them to away), and obvious (in which it makes its presence known help by posting the questionnaire in diferent newsletters to its victim, namely by notifying of its demand through Hull et al. Crime Sci (2019) 8:2 Page 9 of 22

Fig. 2 Predictive model of ransomware deployment methods

a threatening message, and by deleting the victim’s fles). Lock-type ransomware would at least employ lock and Te transition at the higher level is pretty straightfor- threat stages. Te majority of new ransomware families ward: stealth, followed by suspicious and then fnally (> 95% in 2016) are of the crypto variety, therefore it is obvious. worth to focus on the actions of this type of ransomware. Looking deeper, there are several lower level stages Crypto-ransomware has at least three stages: generating that ransomware may exhibit. Tese are probabilistic in a map of fles to encrypt, encrypting them, and display- nature, in a sense that not all ransomware strains will ing a threat. We consider the mapping activities to be a have all of these stages and/or the transition sequence stealthy operation, since it would not alter the user expe- between stages may difer. Te lower level stages are: rience, whereas the encryption activities are suspicious, as they will involve a “write” operation to create a new • Fingerprint creating signatures of the OS’s features fle, and the threat is obvious to the user, as it should and determining suitability for payload deployment. spawn a window to cover the majority of the desktop to • Propagate exploring the possibility of lateral move- draw the user’s attention. ment within a network or connected devices. Each analysed ransomware sample behaved diferently • Communicate sending and receiving data from the in terms of Windows API function calls. Some started attacker’s C&C server. encrypting immediately after entering the device and oth- • Map reading the contents of suitable fles in the vic- ers spent more time on communicating, mapping, fnger- tim’s environment. printing and/or propagating. However, there were some • Encrypt encrypting potentially valuable data on the function calls that appeared in multiple results. SetF- victim’s computer. ilePointer could be seen as a part of many encryp- • Lock reducing or disabling the availability of the OS tion processes, as well as CryptEncrypt. Most samples to the victim. did some mapping or fngerprinting by enquiring system • Delete overwriting or unlinking the contents of the info by calling functions such as GetSystemTimeAs- victim’s data. FileTime. Functions NtTerminateProcess and • Treaten presenting a threatening message to force LoadStringW were also called by many samples, the the victim to pay up. former can be seen to represent the locking stage and the latter the threatening stage (displaying the ransom note). Figure 2 depicts our Randep predictive deployment Te frst functions called by the samples (prior to model of ransomware. We have also developed a Randep encryption) are the ones that could be used for ran- classifer, which maps the Window API function calls, somware detection. For example, in the case of Cerber, signatures, registration keys, and network calls into cat- the main encryption phase starts only after 330 s. Also egories of the eight stages outlined above. types like WannaCry and TeslaCrypt spend more time Hull et al. Crime Sci (2019) 8:2 Page 10 of 22

Fig. 3 Potential links between stages at lower and higher levels fngerprinting and profling their target. During this time, obvious; HStSu ⇒ HSuO . Stealth is frst due to ransom- there is a chance to stop the execution before the real ware needing to scope out a suitable environment for damage is done. Ransomware types that begin encryp- deployment, to avoid detection by anti-virus vendors, tion immediately (e.g. CryptoLocker and Satana) are and to appear as normal to the victim. Suspicious activ- more challenging to stop. Possibly, if the plug is pulled ity acts second, as the ransomware needs to hook its immediately after the device is infected, at least some process and access the required privilege level to carry fles could be saved. In other cases, such as Jigsaw, the out malicious behaviour, which might seem suspicious ransom note is displayed before encryption starts, mean- to some vigilant users. Te fnal stage is obvious, as ing the encryption phase could possibly be stopped by ransomware’s trait is to threaten the user into paying shutting down the device as soon as the ransom message the attacker’s demands as well as blocking the user’s is seen. Te function calls can be used for ransomware access to their important fles. detection in automated future solutions. At the lower level, we hypothesise potential fows either within the same high level grouping, or across Randep model case distinction diferent high level groups. For example, in the stealth high level group, the process is expected to fow as fol- Te Randep model has two levels of stages: the higher lows: HFP ⇒ HPC ⇒ HCM . In other words, the typical level denotes stealth, suspicious, and obvious, and each start to end process from fngerprinting to mapping contain other fnite stages at a lower level. Since each will go through propagation and communication stages lower level stage can be processed in parallel, it is not in between. However, we may consider P and C as straightforward to determine which process starts and optional, which means that it is possible to have HFM ends frst. So instead, we look at any edges between or HFC ⇒ HCM or HFP ⇒ HPM without going through stages measured in terms of a control fow diagram, P and/or C. In the transition between suspicious to propagation time, mutual parameters, CPU threads, call- obvious groups, the process would typically fow backs, and other processes. Our research has developed from HEL ⇒ HLD ⇒ HDT , as ransomware would start potential links for each stage at both higher and lower encrypting fles in the background. When fnished, the levels, as shown in Fig. 3. Te links between stages repre- ransomware would lock the user out, and then delete sent two hypotheses between the two connected entities, traces of the original fles and any processes, before where the direction is indicated by the order of letters in fnally delivering the threatening message. Neverthe- HFC the subscript, e.g. is a hypothesis that F (Fingerprint less, it is possible that some ransomware variants may stage) is followed by C (Communicate to C&C stage), as start showing the threatening message before encryp- HCF opposed to , in which C is followed by F. tion takes place (e.g. Donald Trump and Jigsaw ran- At the higher level of the Randep predictive model, somware), or while carrying out the encryption process we hypothesise a fow from stealth to suspicious to at the same time (e.g. Cerber and Satana). Hull et al. Crime Sci (2019) 8:2 Page 11 of 22

Preventative action hypothesis Program Files, and Python27. All encrypted fles kept the Usually the threatening message indicates that it is oblig- flenames and extensions, but the .ecc extension was atory to refrain from shutting down the computer, and appended to them. proceed with the demands, otherwise the decryption key, TeslaCrypt attempts to fngerprint and evade detec- user fles or decryption mechanism will be lost, or pay- tion through various strategies including scanning reg- ment will go up. Alternatively, ransomware that corrupts istry keys and executables for the presence of anti-virus the Master Boot Record and encrypts the MFT, such as vendors and sandbox analysis systems including Cuckoo Petya instigates a reboot into the ransom note, block- Sandbox, as well as other standard fngerprint tech- ing access to the operating system. Damage to the user’s niques. Te samples delayed the analysis for at least 4 environment occurs after the stealth group of stages have mins 20 s, through the use of a call to NtDelayExecu- been deployed. We assume that all crypto-ransomware tion, which issues a sleep command on one or more of maps their target to fnd the fles that need encryption, its processes or threads. or to read fles as part and parcel to the encrypt stage. Suspicious network activity was detected as the sam- Hence, preventative action may be more efective if it took ples attempted to connect through a TOR gateway ser- place during the map stage. vice at epmhyca5ol6plmx3.tor2web.f, a tor2web Stopping ransomware in its tracks is fairly simple if you domain name. A tor2web URL enables users to connect consider every unauthorised read or write operation on to a TOR service, however; without the use of an active your fles. However, this would entail a heavy bias toward TOR router or browser it does not anonymise the session. false-positive detections of applications such as archiv- Control fow of TeslaCrypt As shown in Fig. 4a, within ing tools, and hence decrease user experience and per- 1 s, TeslaCrypt deploys fngerprinting, communicating, formance. Tere needs to be a good balance, preferably and mapping states. Tis enables the initial setup of the with a lower false acceptance rate for computer users. malware to determine whether it is in a suitable environ- Since allowing the sample to continue past the map stage ment, to establish a channel with the C&C and start the would lead to potential damage, it would be unreasonable preliminary stages of the attack. Following is the lock- to take action on the end-point machine. ing state, in which after further inspection we notice that the malware has called NtTerminateProcess. How- Mapping ransomware variants to the Randep model ever, it is clear this is not restricting the use of the desk- Te Randep classifer produces graphs of timestamps of top, and has been removed from the fow control graph. Windows API function calls per sample, as well as graphs At 41.89 s the encrypting state follows locking, however; that have been classifed according to the Randep model. looking at the function calls we see an early call to Get- We analysed 18 diferent ransomware families, three of FileInformationByHandleEx, while the rest of them (TeslaCrypt, Cerber and WannaCry) were analysed the functions in that state start after 428 s. Since Get- in depth, due to their high infection rate and date of dis- FileInformationByHandleEx is a borderline func- covery being around a year apart from 2015 to 2017. tion call and could also be classed in the mapping state, we have removed it from TeslaCrypt’s fow model, which TeslaCrypt amends the start of encrypting to 428.48 s. Another Tree variants of TeslaCrypt were analysed. Te key adjustment is to the threatening state, which started identifers include deploying techniques to evade analysis writing to the console with SendNotifyMessageW environment, fngerprinting, communicating to known at 42.21 s, but did not draw the graphical user interface malicious IP addresses and domain names, connecting to (GUI) with the ransom note until 470 s. Te revised state a hidden service through TOR, injecting binaries, adding fow model is shown in Fig. 4b with a fow in the order as itself to the list of start-up programs, modifying the desk- follows: fngerprinting, communicating, mapping, delet- top wallpaper, dropping known ransom notes, replacing ing, encrypting, propagating and threatening. over 500 fles, and deleting the shadow copy of user fles. Te fow model of TeslaCrypt has a long deploy- Key identifers of TeslaCrypt Te Randep classifer ment time from mapping the user environment to the processed the reports generated from Cuckoo Sand- start of any suspicious or obvious class activity. Look- box and gathered 28 signatures, which mainly involved ing at the function call fow, as shown in Fig. 5, the fngerprinting, fle handling, and network activity. Te state starts with a call to GetFileType, but most of malware reportedly encrypted 2290 fles, which was the functions in that state are called from 41 s to 45 s. indicated through a successful call to MoveFileWith- One signifcant function that carries out mapping is ProgressW, which took place in folders including the NtReadFile, which reads data from a fle into a bufer, user’s root, Desktop, Documents, Downloads, Pictures, and is called 2333 times; just 43 times more than the Public, Videos, Recycle Bin, AppData, MSOCache, number of fles encrypted. Te NtResumeThread Hull et al. Crime Sci (2019) 8:2 Page 12 of 22

a tesla-16's API Startand EndTimes Start Time End Time

encrypting locking communicating mapping propagating fingerprinting deleting threatening − − 0 20 40 60 80 100 120 140 160 180 200 220 240 260 280 300 320 340 360 380 400 420 440 460 480 500 520 540 560 580 600 620 640 40 20

Time (s)

b teslacrypt-98's API Start and End Times Start Time End Time encrypting communicating mapping propagating fingerprinting deleting threatening − 40 − 0 20 40 60 80 100 120 140 160 180 200 220 240 260 280 300 320 340 360 380 400 420 440 460 480 500 520 540 560 580 600 20

Time (s) Fig. 4 TeslaCrypt propagation of states start and end times, showing a original and b the revised version

teslacrypt-98-mapping'sAPI Startand End Times Start Time End Time GetVolumeNameForVolumeMountPointW NtQueryInformationFile FindFirstFileExW GetFileAttributesW NtReadFile GetFileType NtCreateFile SHGetFolderPathW NtQueryDirectoryFile LoadResource WriteProcessMemory GetFileSize GetShortPathNameW GetFileSizeEx NtOpenFile NtCreateSection DeviceIoControl GetFileAttributesExW GetVolumePathNamesForVolumeNameW − 0 20 40 60 80 100 120 140 160 180 200 220 240 260 280 300 320 340 360 380 400 420 440 460 480 500 520 540 560 20

Time (s) Fig. 5 Start and end times of Windows API function calls in the mapping state of the Randep model for TeslaCrypt

function, which resumes a previously delayed thread, is InternalW function with the following command line: C 32 . ”d called for the frst time at 472.43 s. Shortly after, a call “ :\Windows\System \vssadmin exe eleteshadows/ all/Quiet to DeleteFileW starts the deleting state, followed . Te encrypting state shows the malware’s call by states of encrypting and propagating. At 429.28 s, to CryptAcquireContextW to get the handle to the TeslaCrypt deletes the shadow copy of Window’s back- cryptographic key shortly followed by MoveFileWith- ups through a silent execution of the CreateProcess- ProgressW, which signifes the replacement of original Hull et al. Crime Sci (2019) 8:2 Page 13 of 22

a cerber-27's APIStart andEnd Times Start Time End Time

encrypting locking communicating mapping propagating fingerprinting deleting threatening 10 0 12 0 14 0 16 0 18 0 −2 50 0 30 0 32 0 34 0 36 0 38 0 20 20 0 22 0 24 0 26 0 28 0 0 60 80 40 40 42 44 46 48 0 0 0 0 0 0 Time (s)

b cerber-27's APIStart andEnd Times Start Time End Time encrypting locking communicating mapping propagating fingerprinting deleting threatening 1.95 2 2.05 2. 2.15 2. 2.25 2. 2.35 2. 0 0.05 0. 0.15 0. 0.25 0. 0.35 0. 0.45 0. 0.55 0. 0.65 0. 0.75 0. 0.85 0. 0.95 1 1.05 1. 1.15 1. 1.25 1. 1.35 1. 1.45 1. 1.55 1. 1.65 1. 1.75 1. 1.85 1. 1 2 3 4 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9

Time (s) Fig. 6 Cerber Ransomware start and end times of states of Randep model showing a the full-view and b the start, zoomed-in

fles with ones that are encrypted. Te replacement of Cerber modifying 87 fles located in directories includ- 2290 fles takes 41.27 s, i.e. approximately 55 fles/s. ing root, AppData, Desktop, Documents and custom ones spanning from root. Te modifed fles involved Cerber the use of function calls to MoveFileWithPro- Key indicators of Cerber’s maliciousness include fnger- gressW, where the names are scrambled and the printing, self-decryption, mapping the user environ- extensions are changed to .85f0. ment, creating fles, attempting to access network shares, Control fow of cerber Looking at Fig. 6a, b, we see the injecting itself into other processes, and attaching to a fow of Cerber between states that start in order of fn- modifed DLL. Te sandbox detected a network trojan gerprinting, mapping, propagating, communicating, going from the sandbox to 178.33.158.4 and 178.33.158.9 encrypting, threatening, locking, and deleting. Te frst on port 6893. Te malware attempted to connect to a six states occur over 310 s sooner than locking and delet- server with an IP range 178.33.158.0–178.33.163.255. ing. Figure 6b shows a zoomed-in section of the start of Files were deleted, the background was changed showing the process, and clearly shows the ordering of the frst six the ransom note, and a notepad showed the threatening states. message as well as instructions how to pay and release Tis sequence of events contradicts the hypothesis of the documents. the Randep model, shown in "Randep model case distinc- Key identifers of cerber Te parser gathered 22 signa- tion" section. Despite encryption activating after map- tures from the analysis, which mainly involved evasion, ping, it appears signifcantly close to the other states in fngerprinting, networking and fle handling function- the stealth class of the Randep model. Treatening state ality. Cerber tries to detect an analysis system through also appears unusually close to the stealth class, and out- checks for the presence of Cuckoo Sandbox’s Python of-order by coming before locking, which is in the suspicious class of the model. Further analysis of the function scripts agent.py and analyzer.py, whether there is any human activity, as well as the name, disk calls related to encryption and threatening should reveal size, memory size, and other qualifying attributes of this discrepancy with the hypothesis of the Randep the machine. Te fle handling functionality involved model, and Cerber’s expected behaviour. Hull et al. Crime Sci (2019) 8:2 Page 14 of 22

cerber-27-encrypting's API Start and End Times Start Time End Time

CryptCreateHash CryptHashData GetFileInformationByHandle SetFileAttributesW CryptDecodeObjectEx GetTempPathW CryptAcquireContextW MoveFileWithProgressW NtSetInformationFile GetFileInformationByHandleEx CryptEncrypt

325 330 335 340 345 350 355 360 365370 375380 385 390395 400405 410415 420425 430435 Time (s) Fig. 7 Cerber Ransomware start and end times of Windows API function calls within the encryption state of the Randep model

Te encryption of fles begins with CryptEncrypt and is active from 1.6 s to 340.5 s. Te function typically and CryptAcquireContextW at 329 s and ends with creates directories in the Windows user environment, a call to MoveFileWithProgressW, which is called and is not solely tied to the encryption process. Omission from 343 s to 427 s. Tis means the encryption of 87 fles of this function from the Randep model would put the took around 98 s, or 0.88 fles/s. threatening state before encryption. Te function calls of the threatening state are spread Tis analysis has discovered that Cerber uses function out from just after the start and almost at the end of the calls of LoadStringW and SendNotifyMessageW sample’s behaviour analysis. Most of the function calls to trigger a response from the user to activate a pro- start within 40 s after the activation of the binary, where cess, which explains their early activation at 2 s and 29 the ones closest include LoadStringW, DrawTex- s, respectively. Despite generating a warning to the user, tExW and SendNotifyMessageW. Cerber uses Load- and being obvious, they are not part of the ransom note. StringW to read parts of the accompanying JSON fle Tese two could have been placed in a new state called that stores the confguration settings of the attack vec- social engineering. tors. It also uses the function to feed strings into message Te DrawTextExW function is part of the threatening windows, such as for social engineering a response from class and generates the ransom note, but also wrote to the victim, one example includes the following: Cerber’s JSON log. Tis happened in two stages; feeding the log at 16 s and writing the ransom notes from 415 to “No action needed. Windows found issues requiring 471 s. your attention. Windows is actively checking your system for maintenance problems”. WannaCry Cerber then sends the message to the user via SendNo- Two samples of WannaCry were analysed. Te main sig- tifyMessageW as a pop-up notifcation. natures to identify the malware’s maliciousness include Te DrawTextExW is called 53 times, 10 times at under its ability to unpack itself, anti-sandbox strategies, fn- 17 s and 43 times at 471 s, being only 3 s before the end of gerprinting, manipulation of fles and folders, and setup the sample’s activity. For the initial 10 calls, Cerber gets of the TOR router. Over 500 fles were encrypted, the the date and time information and writes it to a report desktop background was changed to the message of the for communicating with the C&C. Te fnal 43 calls are ransom, and a graphical user interface popped-up in the used to write the fle names of the dropped ransom notes, foreground of the user’s screen. including “R_E_A_D___T_H_I_S___6MZZ6GL_- Another variant of WannaCry, called mssecsvc.exe Notepad”. Some function calls exhibited behaviour was also analysed. It carries out checks on the kill-switch that might not ft well with the Randep model’s predic- domain name, and scans for open RDP connections. tion, including CreateDirectoryW, LoadStringW Te sandbox was setup without modifying the hosts fle and SendNotifyMessageW, and some earlier calls to to make the HTTP GET request to the kill-switch time- DrawTextExW. out, and without any open RDP connections. Te sample As shown in Fig. 7, the majority of the function calls scored 3.6 out of 10, and carried out four DNS lookups for encryption are clustered from 329 s to 430 s, with the on: www.iuqerfsodp9ifjaposdfjhgosurijfae- exception of CreateDirectoryW, which is not shown wrwergwea.com which is the domain name used for Hull et al. Crime Sci (2019) 8:2 Page 15 of 22

the kill-switch. Since the address is still registered, the kill-switch domain, however; the function calls involved sample died. with that process are considered communication states. Te process mssecsvc.exe sends datagrams over Accordingly, communication passes the domain name UDP to the subnet mask of its IP block on ports 137 and as a parameter and calls InternetOpenA and WSAS- 138. Tese ports are some of the default ones for Net- tartup as the frst function call in the mssecsvc. BIOS, where 137 is used for the name resolution services exe’s analysis; see the graph in Fig. 8c. Prior to starting and 138 for the datagram services. For Windows oper- encryption, WannaCry fngerprints the system infor- ating systems on Windows 2000 or later those ports act mation with calls to GetNativeSystemInfo, it also as a backup for the SMB service and should be blocked. gets the system time, and memory status. Te memory Nevertheless, the malware attempts to establish a con- check could be a requirements check for starting the nection with another computer using NetBIOS, which is encryption process, or just to detect the presence of a known for fle and printer service sharing over an Inter- sandboxed environment. net connection. Te communication state creates a server and binds Key identifers of WannaCry WannaCry has similar it to 127.0.0.1 after 87 s, which WannaCry uses to send attributes to most ransomware, with the exception of its and receive packets over the TOR network. Te mal- propagation ability across local networks and the Inter- ware uses TOR in an attempt to anonymize its network net. Te report parser gathered 23 signatures, most of data, and to avoid detection. At 106.59 s, the malware which are similar to those found with Cerber, with the makes a call to LookupPrivilegeValueW, which addition of an anti-sandbox sleep mechanism, getting gets the privilege value and name of the logged-on the network adapter’s name, installing TOR, and bind- user’s locally unique identifer (LUID). In the propa- ing the machine’s localhost network address to listen gation state we see the use of OpenSCManager after and accept connections. Te malware enforced a sleep of 107 s, which opens a connection and the service control an average 18 min 47 s, which delayed the analysis until manager database on a given computer. Ten after 17 s that time had lapsed. Afterwards, WannaCry encrypted the local server is shutdown. the user’s fles by mapping generic user account fold- WannaCry starts encryption early with a call to ers, the recycle bin, AppData and the root folder. It used SetFileTime, it then sets up a new handle for the RSA-AES encryption on 3129 fles, appending a .WNCRY Cryptographic API functions, and decrypts a 16-byte to every locked fle, where the function used to replace string. Te encryption of fles begins at 2.84 s with the encrypted with originals was MoveFileWithPro- a call to CryptGenKey, CryptExportKey and gressW. Te malware also used WMIC.exe to get and CryptEncrypt (see Fig. 9). CryptEncrypt car- delete the shadow copy of the user’s fles. ries out the encryption of the fles from 2.84 to 60.83 Control fow of WannaCry Due to the modular s. Te encrypted contents are temporarily stored in the approach of WannaCry’s implementation, and the use system’s default temporary folder, and the encrypted of threads to carry out processes, we see all states apart fles replace the originals with a call to MoveFile- from deleting starting before a second has passed. Look- WithProgressW at 3.68 s. Te encryption ends when ing at the fow of states, mapping and threatening are the the original fle has been replaced, which is noted by frst to start; both begin at 32 ms, shortly followed by the end of MoveFileWithProgressW at 143.88 s. encryption at 94 ms. Tereafter it follows: communicat- Hence the 3129 fles encrypted took around 141 s, i.e. ing, fngerprinting, propagating, and locking, fnishing 22 fles/s. with deleting at 2.84 s. Te malware spawns a cmd.exe process with- Fingerprinting starts much later than predicted by out showing the window to quietly delete the the hypothesis, which said it would start frst. Te ini- shadow copy of the fle system, as follows: tial part of fngerprinting would be the check to the

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete& bcdedit /set {default} bootstatuspolicy ignoreallfailures& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet Hull et al. Crime Sci (2019) 8:2 Page 16 of 22

Start Time a wannacry-95's API Start and End Times End Time

encrypting locking communicating mapping propagating fingerprinting deleting threatening

0102030405060708090 100 110120 130140 150160 170180 190 200 210220 Time (s)

b wannacry-95's API Start Times Start Time

encrypting locking communicating mapping propagating fingerprinting deleting threatening 1 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 3 2 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9

Time (s)

c wannacry-propagation-94-communicating's API Start and End Times Start Time End Time

closesocket GetAdaptersAddresses getsockname NtDeviceIoControlFile InternetOpenUrlA WSAStartup InternetOpenA InternetCloseHandle CoCreateInstance setsockopt GetBestInterfaceEx socket CoUninitialize CoInitializeEx 1. 1. 1. 3 3. 3. 3. 3. 3. 3. 3. 3. 3. 2 2. 2. 2. 2. 2. 2. 2. 2. 2. 4 4. 7 8 9 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 1

Time (s) Fig. 8 Randep states of WannaCry ransomware, showing a full-view, b zoomed-in, and c WannaCry’s mssecsvc.exe process analysis showing communicating functions

Te command is executed at 104.69 s, but the process the GUI is populated frst with two countdown timers is created later at 116.55 s. and call to actions including “Time Left” and “Payment Te frst time that the user becomes aware of the will be raised on”. Tis technique attempts to create a threat is when the malware makes a call to DrawTex- sense of urgency in the victim meeting the attacker’s tExW 86.87 s, with a bufer containing Wana Decryp- demands. tor 2.0, which is the window title of the GUI shown to the victim. Later calls show that the left hand side of Hull et al. Crime Sci (2019) 8:2 Page 17 of 22

wannacry-95-encrypting's API Start and End Times Start Time End Time CreateDirectoryW CryptAcquireContextA CryptAcquireContextW CryptDecrypt CryptEncrypt CryptExportKey CryptGenKey GetFileInformationByHandle GetFileInformationByHandleEx GetTempPathW MoveFileWithProgressW NtSetInformationFile SetFileAttributesW SetFileInformationByHandle SetFileTime 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 130 135 140 145 150 155 160 165 170 175 180 185 190 195 200 205 210 215 220

Time (s) Fig. 9 Encryption states of WannaCry Ransomware

TeslaCrypt Deployment stages of statesfor ransomware samples Cerber WannaCry

threatening deleting locking encrypting mapping communicating propagating fingerprinting

01234567 Stage Fig. 10 Graph showing the stages of deployment for TeslaCrypt, Cerber and WannaCry according to the states of the Randep model

Comparing the three ransomware samples in the Randep early warning signs of crypto-ransomware is through model the use of mapping API functions. To compare the behaviour of these three ransomware strains (TeslaCrypt, Cerber and WannaCry), we pro- duce a graph mapping a sequence of events (from 0 Results and analysis from the user study to 7) for these strains according to the Randep model. Out of 1090 potential respondents contacted, 147 Figure 10 shows that out of the eight states, none of acknowledged our request, 72 agreed to participate, the three ransomware strains match completely, six although only 46 gave a response in the questionnaire in have pairings, and two have no matches across the the end. Out of these 46 respondents, 28 said that they board, which backs up the Case Distinction discussed had experienced at least one ransomware attack. in "Randep model case distinction" section. TeslaCrypt From the respondents, eight volunteered to participate and Cerber both put fngerprinting at stage 0 and in an interview; four universities, three SME compa- encrypting at stage 4, which fts with the null hypothe- nies and one student. In the following sub-sections, the sis. All three put communicating and mapping between results from the questionnaire are presented in the form stage 0 and 3, which fts with the hypothesis of the of graphs, and the highlights from the interviews are higher level of the Randep model. All that showed signs summarised. of locking put it between stage 6 and 7, ftting in the obvious class of the Randep model. Additionally, all Analysis of the data from the user study carried out mapping prior to encryption. Terefore, Te frst questions in the questionnaire were to do with the approximate date of the attack, the operating system of the infected device and the way ransomware was Hull et al. Crime Sci (2019) 8:2 Page 18 of 22

30 27

10 66

5 33 111 0 Linux Android IOS MacOSWindows XP Windows 10 Windows 8Windows 7 Operating Systems Fig. 11 Breakdown of operating systems afected by ransomware

Table 1 Number of infected devices 21.4% Number of devices Number of occurrences 7.1% 0 1 1 17 7.1% 2 3 3 2 28.6% 5 1 10 3 +

35.7% attachment (35.7%) being more common than a malicious link (28.6%). Clicking a link on a website In 63% of the cases reported in our study, the ransom- Exploiting a vulnerable part or weakness ware did not propagate; infection was limited to only one Unknown device within the organisations (Table 1). Nearly 77% of Clicking a link in a email respondents could access their fles after the attack. In Opening an attachment in an email 69.7% of the cases, the means to recover fles was from backup, only one respondent having paid the ransom Fig. 12 Ransomware entry method (Fig. 13). Te most common frst signs of infection reported were the desktop being locked, fles going missing and suspected to have entered the network. In 27 out of 48 Microsoft Ofce software crashing or failing to open fles cases, a device with Windows 7 operating system was (see Table 2 for the full list of infection signs). involved (Fig. 11). Some responses included more than Students were asked an additional question on whether one operating system, hence the number of answers in the term “ransomware” was familiar to them. Out of 50 this graph exceed the number of total responses (those respondents, 28 (56%) answered “no”. attacked) for the questionnaire. Te ransomware entry method was enquired only in Interviews the questionnaires for universities and companies. A total We had the chance to interview four security experts of 28 responses were received for this question (compul- from universities and three from SMEs. Also, one stu- sory question), of which 6 chose unknown. As Fig. 12 dent agreed to give an interview. In the student interview, presents, the majority (64.3%) stated that the ransom- the questions focused on gaining a deeper understand- ware entered from a malicious email message; malicious ing of how the attack occurred and what, if any, were the Hull et al. Crime Sci (2019) 8:2 Page 19 of 22

videos online. Te ransom message included a loud noise 15.2% demanding attention, stating that device has been locked, 6.1% accompanied by a phone number for technical support to unlock the device. Te “technical support” posed as a 6.1% Microsoft team and demanded a payment for their services. Te person on the phone got remote access on the 3% device and seemingly unlocked it. Te victim felt the loud noise made the situation more threatening and caused a panic reaction making them call the number immediately. Te message did not include a demand for a ransom payment, the money was only asked on the phone. 69.7% At the time, the victim did not have an external backup, but as a lesson learned, they are now more aware of the Paid Ransom importance of basic security hygiene, including having a regular external backup. Reverse engineered Based on the interviews, universities seem more likely Contacted relevant authorities to be targeted by ransomware than companies. Univer- Other sity staf contact details, including email addresses, are commonly available online, making targeted attacks eas- Recovered data from backup ier. An IT expert from one university stated that emails Fig. 13 Recovery after ransomware incident represent approximately three quarters of the attack vectors. Tey mentioned that some attackers even used email address spoofng in their attack. Among the interviewed organisations, a pattern could Table 2 First signs of ransomware infection be observed. In most cases, the organisations had had only basic defences in place prior to them being infected Sign of infection Number of occurrences by ransomware. Tese defences include a frewall and anti-virus software. Most had implemented or were in Desktop was locked 10 the process of implementing more advanced systems. Some fles went missing 10 A new tool that was brought up in the interviews was Ofce software such as MS Word and Excel crashed or 9 Sophos InterceptX, including CryptoGuard capabilities. failed to open fle Also, in addition to systems and software, the organisa- Starting up took much longer than usual 5 tions were putting emphasis on enhancing processes and Computer crashed 4 user education on security issues. Computer started to overheat and became very slow 4 In respect of technical solutions, the common opin- Antivirus software was disabled or took longer to start 2 ion among experts was that endpoint security should be up prioritised. Many attacks are successfully stopped at the Screen or display started to jitter 2 network level. With current tools, malicious attachments Computer restarted without my consent 1 are mostly captured before they reach the end user. Due Noticed fles starting to encrypt on network share 1 to this, when it comes to phishing, attackers are focus- Browser window popups appeared 1 ing increasingly on email links rather than attachments. Intrusion detection system sent alerts about connec- 1 tions to blacklisted IP addresses, vulnerable ports, or Tis trend also highlights the importance of user educa- suspicious DNS queries tion to prevent clicking of malicious links. It was also said User reported system performance issue 1 that global headlines on ransomware attacks have helped bring awareness and raise interest in the topic among users. Te majority of the contacted organisations were planning to improve staf/student training further. lessons learned. Te questions for the experts were more During one interview, an important viewpoint was technical (e.g. also querying the organisations’ defences brought to our attention regarding admin policies. Run- against malicious attacks), given the level of experience ning everyday operations with admin privileges gives they had. ransomware more capabilities to operate on the device Te student’s ransomware incident was a case if infected. Lower privileges can limit, if not stop, the where the device got locked after attempting to watch damage a ransomware attack can cause. Many of the Hull et al. Crime Sci (2019) 8:2 Page 20 of 22

interviewed organisations were in the middle of restrict- desktop was locked. In many cases, when the frst sign is ing the policies for giving out admin policies. observed, it is already too late. Other common signs were missing fles and being unable to open fles. Tese signs Conclusion can be viewed as red fags and should lead to an immedi- In this work, we analysed 18 families of ransomware in ate reaction. If noticed in time, damage may be limited. order to come up with a model for ransomware deploy- Te results validate the importance of extensive ment we call Randep. Te model was developed from backup. Having an of-line backup in a separate loca- background knowledge of Windows APIs, common ran- tion is one of the best ways to ensure the safety of data. somware traits, and threat intelligence of ransomware In most cases post infection, the afected device needs to authors’ evolving strategies. At the higher level, there be wiped clean and rebuilt. A promising trend observed are three phases in ransomware execution, starting from from our user study is that only in one case was the ran- stealth operations, to suspicious activities, and fnally som demand being paid. Paying the ransom does not obvious actions. Each of these higher level stages may be guarantee decryption of fles and only fnances criminals composed of several lower level stages, which are proba- for further attacks. bilistic in nature (by this we mean not all ransomware will One of the goals of conducting this research was exhibit all of them, and the sequence of actions involving spreading the knowledge of the threat that ransomware these stages may difer). Te stealth stage includes fn- imposes, especially to younger people such as university gerprinting, propagating, communicating, and mapping. students. Tis proved to be a sensible goal as 56% of stu- Te suspicious stage includes encrypting and locking dents who took part in our study were not familiar with activities, while the obvious stage involves deleting and the term prior to the questionnaire. However, the ques- threatening actions. tionnaire was delivered to the students before the Wan- We have identifed the mapping stage as an early warn- naCry ransomware incident afecting the UK National ing sign prior to encryption, hence for a more efective Health Service became a headline news. Were the solution, we recommend to put in place countermeasures responses given after the attack, the results would likely that can be activated before the mapping activities are have been quite diferent. completed. Surprisingly, most of the ransomware families Treat intelligence predicts ransomware attacks will exhibited some form of fngerprinting, and this could be continue to rise. However, with insight and analysis into local or remote diagnosis of the machine. the behaviour of ransomware, we should be able to iden- Tis paper also presents a user study into ransom- tify key areas to thwart any incoming attack. Te Randep ware deployment through questionnaire and in-depth model can act as a template to illustrate the stages of interview involving stakeholders from universities and deployment of ransomware, and it can be used as an SMEs. Ransomware developers have numerous ways to agent for detecting early warning signs of variants of execute attacks. Based on our research, in the past few ransomware. years the most common attack vector has been via email, more specifcally through email attachments. However, Future work the experts interviewed in this research suggested that We will conduct a detailed analysis of the timing and the attackers are moving more into using email links due to sequence pattern of the stages of ransomware deploy- the increased use of tools fltering out suspicious attachment in order to come up with efective countermeasures ments from emails. In the interviews, experts pointed out for the characteristics exhibited. that user education and endpoint security are the most Te Randep model could be further validated with important focus points in fghting ransomware, due to more ransomware samples, as well as testing the detec- email still being highly used in ransomware distribution. tion of early warning signs when submitting benign pro- Another matter to consider in organisations is the programs that carry out encryption, such as WinZip. cess of handing out admin privileges. Furthermore, other threat intelligence modelling such Also worth noting is the proportionally high number of as Cyber Kill Chain [which has been shown by Kiwia cases where the ransomware entry method was unknown et al. (2017) to be useful for creating a taxonomy that can to the user. Tis phenomenon came up in many of the be used for detecting and mitigating banking trojans] can interviews as well: ransomware often resembles normal be integrated into the Randep model to improve its accu- user activity and does not announce itself until fles have racy. Tis will also require more ransomware samples to been encrypted and a ransom note is displayed. Also, be collected and analysed, in order to develop a more up- some variants may sleep before activating, making the to-date ransomware taxonomy. efort to trace back to the entry point challenging. One Te API scraper decreased the load for classifying APIs of the most common frst signs of infection was that the into stages for the Randep model, which was carried out Hull et al. Crime Sci (2019) 8:2 Page 21 of 22

manually, but could also be done automatically through Balazs, Z. (2016). Malware analysis sandbox testing methodology. Le Journal de la Cybercriminalité et des Investigations Numériques 1. machine learning. A text classifer could parse the Barker, I. (2017). Uk health trusts hit by ransomware attacks. http://betanews. description generated by the API scraper to place it into a com/2017/01/17/uk-health-ransomware/. Accessed: 2018-6-26. suitable stage. Tis would further increase the autonomy Cimpanu, C. (2017). New raas portal preparing to spread unlock26 ransomware. Retrieved June 26, 2018, from https://www.bleepingcompute of the system, enabling classifcation on the fy. r.com/news/security/new-raas-portal-preparing-to-spread-unlock26- ransomware/. Cisco: Cisco 2017 annual cybersecurity report. Tech. rep., Cisco Systems, Inc., Abbreviations San Jose, CA (2017). AES: Advanced Encryption Standard; API: Application Programming Interface; Clay, J. (2016). Ransomware growth will plateau in 2017, but attack methods C&C: Command and Control; DLL: Dynamic Linked Library; GUI: Graphical and targets will diversify. Retrieved June 26, 2018, from http://blog.trend User Interface; IO: Input/Output; LUID: Locally Unique Identifer; MFT: Master micro.com/ransomware-growth-will-plateau-in-2017-but-attack-metho File Table; OS: Operating System; RaaS: Ransomware-as-a-Service; Randep: ds-and-targets-will-diversify/. Ransomware Deployment; SME: Small and Medium-sized Enterprise; VM: Conner, B. (2017). Ransomware-As-A-Service: The Next Great Cyber Threat? Virtual Machine. Retrieved June 26, 2018, from https://www.forbes.com/sites/forbestech council/2017/03/17/ransomware-as-a-service-the-next-great-cyber-threa Authors’ contributions t/. All of the work presented in this paper is part of the MSc project at the School Continella, A., Guagnelli, A., Zingaro, G., De Pasquale, G., Barenghi, A., Zanero, S. of Computing, University of Kent by Gavin Hull and Henna John, both were & Maggi, F. (2016). Shieldfs: a self-healing, ransomware-aware flesystem. supervised by Budi Arief. All authors read and approved the fnal manuscript. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 336–347. ACM. Author details Duckett, C. (2017). Microsoft Edge used to escape VMware Workstation at 1 2 Deloitte, London, UK. Accenture Cyber Fusion Center, Helsinki, Finland. Pwn2Own 2017. www.zdnet.com/article/microsoft-edge-used-to-escap 3 University of Kent, Canterbury, UK. e-vmware-workstation-at-pwn2own-2017. Accessed: 2017-04-03. Dunn, J.E. (2017). Us college pays \$28,000 to get fles back after ransom- Acknowledgements ware attack. Retrieved June 26, 2018, from https://nakedsecurity.sopho Part of the work presented in this paper has been funded by the UK Engineer- s.com/2017/01/10/us-college-pays-28000-to-get-fles-back-after-ranso ing and Physical Sciences Research Council (EPSRC) Project EP/P011772/1 mware-attack/. on the EconoMical, PsycHologicAl and Societal Impact of RanSomware Ferrand, O. (2015). How to detect the cuckoo sandbox and to strengthen it? (EMPHASIS). Journal of Computer Virology and Hacking Techniques, 11(1), 51–58. https:// doi.org/10.1007/s11416-014-0224-9. Competing interests hasherezade: Cerber ransomware—new, but mature. Retrieved June 26, 2018, The authors declare that they have no competing interests. The views and from https://blog.malwarebytes.com/threat-analysis/2016/03/cerbe opinions expressed are of those of the authors and do not necessarily refect r-ransomware-new-but-mature (2016). the views and opinions of Deloitte LLP, Accenture, or the University of Kent. Heather, B. (2017). London trust fends of 19 ransomware attacks in 12 months. Retrieved June 26, 2018, from https://www.digitalhealth.net/2017/01/ Availability of data and materials london-trust-fends-of-19-ransomware-attacks-in-12-months-2/. The data, tables and fgures presented in the paper are embedded directly Hernandez-Castro, J., Cartwright, E. & Stepanova, A. (2017). Economic into the pdf fle of the submission. These are available to be supplied sepa- Analysis of Ransomware. Retrieved June 24, 2018, from https://arxiv.org/ rately if needed. pdf/1703.06660.pdf. Homayoun, S., Dehghantanha, A., Ahmadzadeh, M., Hashemi, S. & Khayami, R. Funding (2017). Know abnormal, fnd evil: Frequent pattern mining for ransom- Budi Arief receives funding from the UK EPSRC project EP/P011772/1 on the ware threat hunting and intelligence. In: IEEE Transactions on Emerging EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS). Topics in Computing. Kharraz, A. & Kirda, E. (2017). Redemption: Real-time protection against Publisher’s Note ransomware at end-hosts. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 98–119. Springer. Springer Nature remains neutral with regard to jurisdictional claims in pub- Kharraz, A., Arshad, S., Mulliner, C., Robertson, W.K. & Kirda, E. (2016). UNVEIL: A lished maps and institutional afliations. Large-Scale, Automated Approach to Detecting Ransomware. In: USENIX Security Symposium, pp. 757–772. Received: 2 July 2018 Accepted: 14 January 2019 Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L. & Kirda, E. (2015) Cutting the gordian knot: A look under the hood of ransomware attacks. In: DIMVA 2015, 12th Conference on Detection of Intrusions and Malware & Vulner- ability Assessment, Springer, pp. 3–24. https://doi.org/10.1007/978-3-319- 20550-2_1. References Kiwia, D., Dehghantanha, A., Choo, K. K. R., & Slaughter, J. (2017). A cyber kill Abrams, L. (2016a). Teslacrypt decrypted: Flaw in teslacrypt allows victim’s to chain based taxonomy of banking trojans for evolutionary computational recover their fles. https://www.bleepingcomputer.com/news/security/ intelligence. Journal of Computational Science, 27, 394–409. teslacrypt-decrypted-faw-in-teslacrypt-allows-victims-to-recover-their KnowBe4: Ransomware simulator. Retrieved June 26, 2018, from https://www. -fles/. Accessed: 2018-6-26. knowbe4.com/ransomware-simulator (2017). Abrams, L. (2016b). The cerber ransomware not only encrypts your data but Kolodenker, E., Koch, W., Stringhini, G. & Egele, M. (2017). Paybreak: defense also speaks to you. Retrieved June 26, 2018, from https://www.bleep against cryptographic ransomware. In: Proceedings of 2017 ACM on Asia ingcomputer.com/news/security/the-cerber-ransomware-not-only- Conference on Computer and Communications Security, pp. 599–611. encrypts-your-data-but-also-speaks-to-you/. ACM. Andronio, N., Zanero, S. & Maggi, F. (2015). Heldroid: Dissecting and detecting Lee, J.K., Moon, S.Y. & Park, J.H. (2016). Cloudrps: a cloud analysis based mobile ransomware. In: International Workshop on Recent Advances in enhanced ransomware prevention system. The Journal of Supercomput- Intrusion Detection, Springer, pp. 382–404. ing pp. 1–20. Azmoodeh, A., Dehghantanha, A., Conti, M., & Choo, K. K. R. (2017). Detecting Lee, M., Mercer, W., Rascagneres, P. & Williams, C. (2017). Player 3 has entered crypto-ransomware in iot networks based on energy consumption foot- the game: Say hello to ’wannacry’. Retrieved June 26, 2018, from http:// print. Journal of Ambient Intelligence and Humanized Computing, 23, 1–12. blog.talosintelligence.com/2017/05/wannacry.html. Hull et al. Crime Sci (2019) 8:2 Page 22 of 22

Lindorfer, M., Kolbitsch, C. & Comparetti, P.M. (2011) Detecting environment- Symantec: Internet Security Threat Report (ISTR) - Volume 22, April 2017. sensitive malware. In: International Workshop on Recent Advances in Retrieved June 24, 2018, from https://www.symantec.com/content/dam/ Intrusion Detection, pp. 338–357. Springer. symantec/docs/reports/istr-22-2017-en.pdf (2017). Mansfeld-Devine, S. (2016). Ransomware: Taking businesses hostage. Network Szor, P. (2005). The art of computer virus research and defense. London: Pearson Security, 2016(10), 8–17. https://doi.org/10.1016/S1353-4858(16)30096-4. Education. Morgan, S. (2017). Ransomware damage report. Cybersecurity Ventures, Menlo Umbrella, C. (2016). Waste less time fghting ransomware attacks. Retrieved Park, CA: Tech. rep. June 26, 2018, from https://learn-umbrella.cisco.com/solution-briefs/ National Audit Ofce: Investigation: WannaCry cyber attack and the NHS. waste-less-time-fghting-ransomware. Retrieved June 24, 2018, from https://www.nao.org.uk/wp-content/ Villanueva, M.J. (2016). Ransom Satana. Retrieved June 25, 2018, from https uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS. ://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ranso pdf (2017). m_satana.a. NCSC and NCA: The cyber threat to UK business 2016/2017 report. Retrieved Yang, Y., Zhu, S. & Cao, G. (2008). Improving sensor network immunity under November 16, 2018, from www.nationalcrimeagency.gov.uk/publicatio worm attacks: A software diversity approach. In: Proceedings of the ns/785-the-cyber-threat-to-uk-business/fle (2018). 9th ACM International Symposium on Mobile Ad Hoc Networking and O’Brien, D., Power, J. P., Wallace, S., Rab, A., Neville, A., Anand, A., Wueest, C., Tan, Computing, MobiHoc ’08, pp. 149–158. ACM, New York, NY, USA. https:// D., Lau, H., DiMaggio, J., Graziano, J., O’Brien, L., Cox, O., Coogan, P., Meckl, doi.org/10.1145/1374618.1374640. S. & Chong, Y.L. (2016). White paper: 2016 internet security threat report. Yokoyama, A., Ishii, K., Tanabe, R., Papa, Y., Yoshioka, K., Matsumoto, T., et al. Tech. rep.: Symantec Corporation. (2016). SandPrint: Fingerprinting malware sandboxes to provide intel- Savage, K., Coogan, P. & Lau, H. (2015). The evolution of ransomware, symantec ligence for sandbox evasion (pp. 165–187). Cham: Springer. https://doi. security response. org/10.1007/978-3-319-45719-2_8. Sgandurra, D., Muñoz-González, L., Mohsen, R., & Lupu, E. C. (2016). Automated Young, A. & Yung, M. (1996) Cryptovirology: Extortion-based security threats Dynamic Analysis of Ransomware: Benefts. ArXiv e-prints: Limitations and and countermeasures. In: IEEE Symposium on 1996. Proceedings of use for Detection. Security and Privacy, pp. 129–140. IEEE. Sikorski, M., & Honig, A. (2012). Practical malware analysis: the hands-on guide to Zeltser, L. (2014). Malware analysis essentials using remnux w/ lenny zeltser. dissecting malicious software. San Francisco: No Starch Press. Retrieved June 26, 2018, from https://www.sans.org/webcasts/malwa Sinitsyn, F. (2015). Teslacrypt 2.0 disguised as cryptowall. https://securelist re-analysis-essentials-remnux-w-lenny-zeltser-98045. .com/teslacrypt-2-0-disguised-as-cryptowall/71371/. 14 July 2015, Zscaler, N. (2016). White paper: Ransomware is costing companies millions. Accessed: 2018-6-26. could it cost you your job? Tech. rep., Zscaler, 110 Rose Orchard Way, San SonicWall: Comprehensive gateway. Tech. rep., SonicWall, Inc., Santa Clara Jose, CA 95134, USA. (2016). Spring, T. (2016). Diary of a ransomware victim. https://threatpost.com/diary -of-a-ransomware-victim/117877/. Accessed: 2018-6-26.

Ready to submit your research ? Choose BMC and benefit from:

• fast, convenient online submission • thorough peer review by experienced researchers in your ﬁeld • rapid publication on acceptance • support for research data, including large and complex data types • gold Open Access which fosters wider collaboration and increased citations • maximum visibility for your research: over 100M website views per year

At BMC, research is always in progress.

Learn more biomedcentral.com/submissions